Workspace ONE UEM (SaaS) LAB Setup – Part 1

Introduction: This blog post covers the basic evaluation of VMware Workspace ONE UEM and Workspace ONE Access integration and configuration in lab environments. For production deployments, refer to the VMware Workspace ONE documentation.

  1. I plan to set up the following design architecture in my lab.

  1. The following prerequisites are required:
  2. VMware Workspace ONE UEM, Workspace ONE Access

    We can also make use of a 30-day trial subscription of a Workspace ONE UEM SaaS tenant and a Workspace ONE Access SaaS tenant.

    In my case I am using a VMware sandbox tenant as below:

Workspace ONE UEM Console version: (2101)
Workspace ONE Access Console Version:

  1. On-Premises Servers Requirement:

| Sl No | Server name | Server Role | OS Version | vCPU | vRAM (GB) | vDisk (GB) | IP Address | Remarks |
|---|---|---|---|---|---|---|---|---|
| | | Airwatch Cloud Connector | Windows Server 2012 R2 | 2 | 2 | 50 | | I have installed Airwatch Cloud Connector on the AD DS server. A production setup should have a separate server. |
| 02 | LABWS1ACC01 | WS1 Access Connector | | 2 | 2 | 50 | | |

Note: The Airwatch Cloud Connector and WS1 Access Connector servers are sized based on my lab requirements.

For production deployments, follow the VMware recommended architecture and hardware sizing guidelines.

  1. I have selected the following Endpoint Devices for testing:
| Device Type | OS Version | Qty | Remarks |
|---|---|---|---|
| Android | 10 | 1 | Samsung Galaxy S10+ |
| iOS | 14.4 | 1 | Apple Phone 7+ |
| Windows | 10 Education Edn. 1809 (OS Build 17763.1697) | 1 | Virtual Machine |
| macOS | Catalina 10.15.5 | 1 | |

Let’s start the installation of ACC step by step.

  1. Installation and Configuration.

C(1): Install and Configure the Airwatch Cloud Connector

  1. Login to Workspace ONE UEM Console

  2. From the main menu, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector.
  3. Select Override.

  4. Select Enable for Enable Airwatch Cloud Connect Setting.
  5. Select Enable for Enable Auto Update. (Note: this is a lab setup, so I have selected Auto Update. In a production environment you need to consider your organisation's upgrade policy.)
  6. Click the Advanced tab and ensure that Use External AWCM URL is highlighted.

  7. Click Save and wait for the certificate to be populated
  8. Click the General tab and click Download Airwatch Cloud Connector Installer

  9. When prompted for the download password, enter a password: xxxxxx (minimum 6 characters long)
  10. Click Download

  11. Click Save File
  12. Wait for the download to finish.

  13. Copy the installer file to Airwatch Cloud Connector Server

  14. Right-click the Airwatch Cloud Connector installer and select Run as Administrator
  15. Click Next

  16. Select the check box for I accept the terms in the license agreement and click Next

  17. Accept the default installation path and click Next. (Note: for a production installation you may have to select a different path based on your IT policy.)

  18. For the certificate password, Enter password: xxxxxx
  19. Click Next
  20. Check the Outbound Proxy? check box. I am not using a proxy, so I deselected it and clicked Next.

  21. Click Install

  22. The installer prompts to inform you that TLS 1.2 registry keys were added. Click OK.

  23. Click Finish

  24. You may receive a prompt to restart the server. Click Yes to continue.
  25. Log in to the server and verify that the AirWatch Cloud Connector service is running.

  26. The Airwatch Cloud Connector installation log is available at the location below.

  27. Switch to the WS1 UEM Console and open the Cloud Connector page to test the connector connection.
  28. From the main menu, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector

  29. Click Test Connection

    Airwatch Cloud Connector Installed successfully.
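
The checks from steps 22 and 25 can also be run from PowerShell on the connector server. This is an added example, not part of the original post or of VMware's tooling. The service display name comes from the post; the registry paths are the standard Windows SCHANNEL and .NET locations (which values the installer actually writes is an assumption), and `$AwcmHost` and port 443 are placeholders for your tenant's AWCM endpoint.

```powershell
# Added example: post-install checks on the AirWatch Cloud Connector host.
# Assumption: the service display name starts with 'AirWatch Cloud Connector' (as in the post).
# $AwcmHost is a placeholder; replace it with the AWCM host shown in your UEM console.
$AwcmHost = 'awcm.example.invalid'

function Get-AccServiceState {
    # One row per matching service: status, start mode and the account it runs under.
    Get-Service -DisplayName 'AirWatch Cloud Connector*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $wmi = Get-WmiObject Win32_Service -Filter "Name='$($_.Name)'"
            [pscustomobject]@{
                Name      = $_.Name
                Status    = $_.Status
                StartMode = $wmi.StartMode
                RunAs     = $wmi.StartName
            }
        }
}

function Get-Tls12State {
    # Reads the SCHANNEL TLS 1.2 values; a missing key means the OS default applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    foreach ($role in 'Client', 'Server') {
        $key = Get-ItemProperty -Path "$base\$role" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role              = $role
            KeyPresent        = [bool]$key
            Enabled           = $key.Enabled
            DisabledByDefault = $key.DisabledByDefault
        }
    }
}

function Get-DotNetStrongCrypto {
    # .NET 4.x only negotiates TLS 1.2 by default when SchUseStrongCrypto is 1.
    foreach ($path in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{ Path = $path; SchUseStrongCrypto = $key.SchUseStrongCrypto }
    }
}

Get-AccServiceState    | Format-Table -AutoSize
Get-Tls12State         | Format-Table -AutoSize
Get-DotNetStrongCrypto | Format-Table -AutoSize

# Outbound reachability from the connector to AWCM (port 443 is an assumption).
Test-NetConnection -ComputerName $AwcmHost -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Keeping the output with the build notes gives a baseline to compare against after an auto-update or OS patch cycle.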

C(2): Configure Active Directory Services in Workspace ONE UEM Console.

The following steps need to be done in WS1 UEM Console to configure AD Services:

  • Integrate WS1 UEM Environment with AD Service
  • Configure Filter Searches to identify Users and User Groups.
  • Configure the Setting to Auto-Merge and Synchronize changes between WS1 UEM groups and AD Service Groups.
  • Map attribute values between WS1 UEM user attributes and AD attributes.

Let’s start the AD and WS1 UEM integration Configurations:

  1. Login to Workspace ONE UEM Console

  2. Click on Groups & Settings, Select All Settings

  3. Click System > Enterprise Integration > Directory Services

  4. Select the Server tab and set Current Setting to Override
    1. Select Directory Type: LDAP – Active Directory
    2. DNS SRV select Disabled
    3. Server: RWSDC01.LABDC.COM (enter Active Directory FQDN name)
    4. Encryption Type: NONE
    5. Port: 389
    6. Protocol Version: 3
    7. Use service account Credentials: Disabled
    8. Bind authentication Type: GSS-NEGOTIATE
    9. Bind user name: labdc\uemsync
    10. Password: xxxxxx
    11. Domain: LABDC.COM
    12. Click Test Connection to verify the connectivity
    13. Click Save

  5. On the Directory Services page, Click the User tab and type the User Settings
    1. Click + sign next to the Base DN Box.
    2. In the Base DN menu Select DC=labdc,DC=com
    3. Click Save

  6. On the Directory Services page, Click the Group tab and type the Group Settings
    1. Click + sign next to the Base DN Box.
    2. In the Base DN menu Select DC=labdc,DC=com
    3. Group Object Class: group
    4. Organizational Unit Object Class: organizationalUnit
    5. Expand > Advanced to display additional settings
    6. Make sure that “Auto Sync Default” and “Auto Merge Default” are selected

I. Selecting the Auto sync and Auto merge option settings automatically adds or removes users in WS1 UEM configured user groups based on their membership in Active Directory Services and automatically applies synchronization changes without requiring an admin’s approval.

II. Adjust the Maximum allowable changes limit as per your requirement.

  1. Scroll down to the Attribute / Mapping Value Section
  2. Change the mapping value for Organizational Unit to cn
  3. Click Save
  4. Click Test Connection to verify the configuration, then close the page by clicking X at the top right corner.
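
The Server and Group settings above can be exercised outside the console from the connector host. This added example (not from the original post or from VMware) binds with the same server, bind account, Base DN and group the post uses, first on 389 as configured and then on 636, to show whether the domain controller would also accept an encrypted connection. Port 636 and the `Test-DirectoryBind` helper are assumptions of this example.

```powershell
# Added example: reproduce the Directory Services bind and group lookup with .NET LDAP classes.
# Server, Base DN, group and bind account are the lab values from the post.
# Test-DirectoryBind is a hypothetical helper defined here, not a UEM or Windows cmdlet.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server = 'RWSDC01.LABDC.COM'
$BaseDn = 'DC=labdc,DC=com'
$Group  = 'awusers'
$Cred   = (Get-Credential -UserName 'labdc\uemsync' -Message 'Bind account').GetNetworkCredential()

function Test-DirectoryBind {
    param([string]$Server, [int]$Port, [bool]$UseSsl,
          [System.Net.NetworkCredential]$Credential, [string]$BaseDn, [string]$GroupName)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # GSS-NEGOTIATE
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    $result = [pscustomobject]@{ Port = $Port; Tls = $UseSsl; Bind = $false; Members = $null; Error = $null }
    try {
        $conn.Bind()
        $result.Bind = $true
        # Same object class and Base DN as the Group tab settings.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BaseDn, "(&(objectClass=group)(cn=$GroupName))",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('member'))
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
        if ($resp.Entries.Count -gt 0 -and $resp.Entries[0].Attributes.Contains('member')) {
            $result.Members = $resp.Entries[0].Attributes['member'].Count
        } else {
            $result.Members = 0
        }
    } catch {
        $result.Error = $_.Exception.Message   # e.g. no LDAPS certificate on the DC
    } finally {
        $conn.Dispose()
    }
    $result
}

# 389 without TLS mirrors "Encryption Type: NONE"; 636 checks that LDAPS is available on the DC.
@(
    Test-DirectoryBind $Server 389 $false $Cred $BaseDn $Group
    Test-DirectoryBind $Server 636 $true  $Cred $BaseDn $Group
) | Format-Table -AutoSize
```

If the 636 row binds and returns the same member count as the 389 row, the domain controller is ready for an encrypted Encryption Type setting on the Server tab with the same bind account and Base DN.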

The directory service user and group attribute mapping configuration is now complete. Next, we will enable Directory Authentication Enrollment.

C(3): Enable Directory Authentication Enrollment.

  1. Log in to Workspace ONE UEM Console:
  2. Go to Groups & Settings > All Settings > Devices & Users > General >
    1. Current Setting: Select Override
    2. Authentication Modes, Select Basic and Directory
    3. Click Save

  3. Click on the Grouping tab
    1. Current Setting: Click Override
    2. Group ID Assignment Mode: Select Default
    3. Click Save

  4. After saving successfully, click the X mark to close the settings page.

C(4): Configuration of Importing a user group.

This configuration is required to import the user groups from the existing Active Directory into Workspace ONE UEM.

  1. In the Workspace ONE UEM Console, navigate to Account > Users Group > List View > Add > Add User Group

  2. Add User Group page:
    1. Select Type: Directory
    2. External Type: Group
    3. Search Text: type the group name and click Search

  3. Select the group name, in my case “awusers”
  4. Click Save
  5. Select the imported group name “awusers”, click More Action and select Add missing Users

  6. Verify that the users who are part of the group have been added to UEM

  7. We can see that about 10 users have been added from the AD group to UEM

  8. Click the pencil mark near the group name

  9. On the General tab, set Add Group Members Automatically to Enabled

  10. Click Save

We have successfully synchronized the Active Directory user accounts to Workspace ONE UEM.

Part 2 will focus on the installation and configuration of the Workspace ONE Access connector. Stay tuned for the next post soon.

Thanks for visiting my blog post.